A plea for network defenders and software manufacturers to fix common problems

Executive summary of NSA and CISA

Executive summary
The National Security Agency (NSA) and Cybersecurity and Infrastructure Security
Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the
most common cybersecurity misconfigurations in large organizations, and detail the
tactics, techniques, and procedures (TTPs) actors use to exploit these
misconfigurations.
Through NSA and CISA Red and Blue team assessments, as well as through the
activities of NSA and CISA Hunt and Incident Response teams, the agencies identified
the following 10 most common network misconfigurations:
1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution
These misconfigurations illustrate (1) a trend of systemic weaknesses in many large
organizations, including those with mature cyber postures, and (2) the importance of
software manufacturers embracing secure-by-design principles to reduce the burden on
network defenders:
 Properly trained, staffed, and funded network security teams can implement the
known mitigations for these weaknesses.

 Software manufacturers must reduce the prevalence of these
misconfigurations—thus strengthening the security posture for customers—by
incorporating secure-by-design and -default principles and tactics into their
software development practices.[1]
NSA and CISA encourage network defenders to implement the recommendations found
within the Mitigations section of this advisory—including the following—to reduce the
risk of malicious actors exploiting the identified misconfigurations.
 Remove default credentials and harden configurations.
 Disable unused services and implement access controls.
 Update regularly and automate patching, prioritizing patching of known exploited
vulnerabilities.[2]
 Reduce, restrict, audit, and monitor administrative accounts and privileges.
NSA and CISA urge software manufacturers to take ownership of improving security
outcomes of their customers by embracing secure-by-design and-default tactics,
including:
 Embedding security controls into product architecture from the start of
development and throughout the entire software development lifecycle (SDLC).
 Eliminating default passwords.
 Providing high-quality audit logs to customers at no extra charge.
 Mandating MFA, ideally phishing-resistant, for privileged users and making MFA
a default rather than opt-in feature.

Contents of NSA and CISA

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations . 1
Executive summary…………………………………………………………………………………………… 1
Technical details ………………………………………………………………………………………………. 6
Overview………………………………………………………………………………………………………. 6
1. Default configurations of software and applications…………………………………………. 7
Default credentials ……………………………………………………………………………………… 7
Default service permissions and configuration settings…………………………………….. 8
2. Improper separation of user/administrator privilege…………………………………………. 9
Excessive account privileges ……………………………………………………………………… 10
Elevated service account permissions …………………………………………………………. 10
Non-essential use of elevated accounts……………………………………………………….. 11
3. Insufficient internal network monitoring………………………………………………………… 11
4. Lack of network segmentation ……………………………………………………………………. 12
5. Poor patch management …………………………………………………………………………… 12
Lack of regular patching…………………………………………………………………………….. 12
Use of unsupported OSs and outdated firmware …………………………………………… 13
6. Bypass of system access controls………………………………………………………………. 13
7. Weak or misconfigured MFA methods…………………………………………………………. 13
Misconfigured smart cards or tokens …………………………………………………………… 13
Lack of phishing-resistant MFA…………………………………………………………………… 14
8. Insufficient ACLs on network shares and services ………………………………………… 14
9. Poor credential hygiene…………………………………………………………………………….. 15
Easily crackable passwords ……………………………………………………………………….. 15
Cleartext password disclosure ……………………………………………………………………. 16
10. Unrestricted code execution …………………………………………………………………….. 16
Mitigations ……………………………………………………………………………………………………… 17
Network defenders ………………………………………………………………………………………. 17
Mitigate default configurations of software and applications ……………………………. 17
Mitigate improper separation of user/administrator privilege ……………………………. 19
Mitigate insufficient internal network monitoring…………………………………………….. 20
Mitigate lack of network segmentation …………………………………………………………. 21
Mitigate poor patch management………………………………………………………………… 22

…..To Continue with the post follow the original link post 

Our Best Selling eLearning format Professional Training, Exam, Certification are:

ISO 27001 Lead Auditor / Implementer

ISO 22301 Lead Auditor / Implementer

ISO 27005 Lead Risk Manager

ISO 31000 Risk Manager